From be33c02604900293d44795531aca5cec9e7d1098 Mon Sep 17 00:00:00 2001
From: Chris Nightingale
Date: Tue, 27 Oct 2020 12:14:40 +0200
Subject: [PATCH 1/2] Added logging for auth request and IP address
---
 lib/gitlab/auth.rb | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 609eef5e36555d..d082270fe17e83 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -42,6 +42,9 @@ def find_for_git_client(login, password, project:, ip:)
 raise IpBlacklisted if !skip_rate_limit?(login: login) && rate_limiter.banned?
+ # Log user auth request and IP address
+ Gitlab::AppLogger.info("User Auth: Authentication request for username=#{login} from IP #{ip}")
+
 # `user_with_password_for_git` should be the last check
 # because it's the most expensive, especially when LDAP
 # is enabled.
@@ -107,6 +110,8 @@ def find_with_user_password(login, password, increment_failed_attempts: false)
 authenticated_user = authenticators.find do |auth|
 authenticated_user = auth.login(login, password)
 break authenticated_user if authenticated_user
+ Gitlab::AppLogger.info("User Auth: username=#{login} failed authentication")
+ break authenticated_user
 end
 user_auth_attempt!(user, success: !!authenticated_user) if increment_failed_attempts
--
GitLab
From 5f842986a6681f8f1c6d299ee6d5a67847eb1218 Mon Sep 17 00:00:00 2001
From: Chris Nightingale
Date: Tue, 27 Oct 2020 14:42:11 +0000
Subject: [PATCH 2/2] Apply 1 suggestion(s) to 1 file(s)
---
 lib/gitlab/auth.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index d082270fe17e83..e2dfc02c70894a 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
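Review bot: In the `find_for_git_client` hunk of patch 1/2, `login` comes straight from the Git client and is interpolated unescaped into the `Gitlab::AppLogger.info` message, so a value containing line breaks or a fake `username=` fragment can split or spoof entries in a plain-text log, and a token or password mistakenly sent as the username would be stored in clear. The same interpolation is used by the `failed authentication` line in the `find_with_user_password` hunks of 1/2 and 2/2. I would log the values as separate fields of a structured entry instead of building one string, or at minimum write `username=#{login.inspect}`, and add a comment such as `# login is untrusted client input; never log the password`. The line also runs for every request that passes the ban check, so its volume and the retention of username/IP pairs should be a deliberate choice. The method body continues outside the hunk.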
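Review bot: In the `find_with_user_password` hunk of patch 1/2, the added unconditional `break authenticated_user` ends the `authenticators.find` block after the first authenticator even when it returned nothing, so any later authenticator is never consulted in this revision. Patch 2/2 drops that line again, so I would squash the two commits so that no intermediate revision with the changed fall-through can be cherry-picked or bisected into. The method starts and ends outside the hunk.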
@@ -109,9 +109,8 @@ def find_with_user_password(login, password, increment_failed_attempts: false)
 # return found user that was authenticated first for given login credentials
 authenticated_user = authenticators.find do |auth|
 authenticated_user = auth.login(login, password)
+ Gitlab::AppLogger.info("User Auth: username=#{login} failed authentication") if ! authenticated_user
 break authenticated_user if authenticated_user
- Gitlab::AppLogger.info("User Auth: username=#{login} failed authentication")
- break authenticated_user
 end
 user_auth_attempt!(user, success: !!authenticated_user) if increment_failed_attempts
--
GitLab
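Review bot: The `failed authentication` line sits inside the `authenticators.find` block, so it is written once per authenticator that rejects the credentials, including for a login that a later authenticator then accepts; anything alerting on this message would count successful logins as failures. Moving the call below the block's `end` and keying it on the final result, `... unless authenticated_user`, gives one entry per failed attempt and also replaces the `if ! authenticated_user` modifier with the idiomatic form. `ip` is not a parameter of `find_with_user_password`, so the failure entry can only be tied to the request entry by username; if correlation is needed it would have to be logged from the caller, which is not visible here. The method starts and ends outside the hunk.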